A criminal threat actor hit Instructure, the company behind the Canvas learning management system, in a cyberattack disclosed this week. CSO Steve Proud confirmed outside forensic experts are investigating but offered no details on scope or what data may have been exposed.
Canvas serves schools, universities, and organizations managing coursework and online learning across institutions. The platform’s reach means any breach could affect students and educators.
Since May 1, Instructure has taken Canvas Data 2 and Canvas Beta offline for maintenance, warning customers of issues with API-dependent tools. The company hasn’t confirmed whether that outage connects to the security incident.
This isn’t Instructure’s first breach. In September 2025, a social engineering attack let attackers access data in the company’s Salesforce instance. ShinyHunters, a prolific threat group, claimed responsibility and listed Instructure on a data leak site. The company now faces questions about whether it hardened its defenses after that incident.
Education technology firms have become prime targets. In January 2025, PowerSchool disclosed that attackers claimed to have stolen data on 62 million students. Infinite Campus faced similar Salesforce-environment attacks.
Instructure says it will release new information as the investigation progresses. The investigation’s timeline and any notification obligations under state breach laws depend on what the forensics team finds — and that clock is already running.
— James Okafor